package se.swedenconnect.opensaml.xmlsec.encryption.support;

import com.google.common.base.Strings;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Collection;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.encryption.EncryptionMethod;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLCipherInput;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.DecryptionParameters;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.encryption.EncryptedKey;
import org.opensaml.xmlsec.encryption.EncryptedType;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import sun.security.rsa.RSAPadding;

/* loaded from: input_file:se/swedenconnect/opensaml/xmlsec/encryption/support/Pkcs11Decrypter.class */
public class Pkcs11Decrypter extends Decrypter {
    private static final Logger log = LoggerFactory.getLogger(Pkcs11Decrypter.class);
    private boolean testMode;
    private KeyInfoCredentialResolver _kekResolver;

    public Pkcs11Decrypter(DecryptionParameters decryptionParameters) {
        super(decryptionParameters);
        this.testMode = false;
        this._kekResolver = decryptionParameters.getKEKKeyInfoCredentialResolver();
    }

    public Pkcs11Decrypter(KeyInfoCredentialResolver keyInfoCredentialResolver, KeyInfoCredentialResolver keyInfoCredentialResolver2, EncryptedKeyResolver encryptedKeyResolver) {
        super(keyInfoCredentialResolver, keyInfoCredentialResolver2, encryptedKeyResolver);
        this.testMode = false;
        this._kekResolver = keyInfoCredentialResolver2;
    }

    public Pkcs11Decrypter(KeyInfoCredentialResolver keyInfoCredentialResolver, KeyInfoCredentialResolver keyInfoCredentialResolver2, EncryptedKeyResolver encryptedKeyResolver, Collection<String> collection, Collection<String> collection2) {
        super(keyInfoCredentialResolver, keyInfoCredentialResolver2, encryptedKeyResolver, collection, collection2);
        this.testMode = false;
        this._kekResolver = keyInfoCredentialResolver2;
    }

    @Nonnull
    public Key decryptKey(@Nonnull EncryptedKey encryptedKey, @Nonnull String str, @Nonnull Key key) throws DecryptionException {
        if (key == null || !((AlgorithmSupport.isRSAOAEP(encryptedKey.getEncryptionMethod().getAlgorithm()) && this.testMode) || "sun.security.pkcs11.P11Key$P11PrivateKey".equals(key.getClass().getName()))) {
            return super.decryptKey(encryptedKey, str, key);
        }
        try {
            for (Credential credential : this._kekResolver.resolve(buildCredentialCriteria(encryptedKey, getKEKResolverCriteria()))) {
                try {
                } catch (DecryptionException e) {
                    log.debug("Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed: ", e);
                }
                if (RSAPublicKey.class.isInstance(credential.getPublicKey())) {
                    return decryptKey(encryptedKey, str, CredentialSupport.extractDecryptionKey(credential), ((RSAPublicKey) credential.getPublicKey()).getModulus().bitLength());
                }
            }
        } catch (ResolverException e2) {
            log.error("Error resolving credentials from EncryptedKey KeyInfo", e2);
        }
        log.error("Failed to decrypt EncryptedKey, failed to find out the keylength for private key");
        throw new DecryptionException("Valid decryption key for EncryptedKey could not be resolved");
    }

    @Nonnull
    public Key decryptKey(@Nonnull EncryptedKey encryptedKey, @Nonnull String str) throws DecryptionException {
        if (!AlgorithmSupport.isRSAOAEP(encryptedKey.getEncryptionMethod().getAlgorithm())) {
            return super.decryptKey(encryptedKey, str);
        }
        if (this._kekResolver == null) {
            log.warn("No KEK KeyInfo credential resolver is available, cannot attempt EncryptedKey decryption");
            throw new DecryptionException("No KEK KeyInfo resolver is available for EncryptedKey decryption");
        }
        if (Strings.isNullOrEmpty(str)) {
            log.error("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
            throw new DecryptionException("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
        }
        try {
            for (Credential credential : this._kekResolver.resolve(buildCredentialCriteria(encryptedKey, getKEKResolverCriteria()))) {
                try {
                    return RSAPublicKey.class.isInstance(credential.getPublicKey()) ? decryptKey(encryptedKey, str, CredentialSupport.extractDecryptionKey(credential), ((RSAPublicKey) credential.getPublicKey()).getModulus().bitLength()) : super.decryptKey(encryptedKey, str, CredentialSupport.extractDecryptionKey(credential));
                } catch (DecryptionException e) {
                    log.debug("Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed: ", e);
                }
            }
        } catch (ResolverException e2) {
            log.error("Error resolving credentials from EncryptedKey KeyInfo", e2);
        }
        log.error("Failed to decrypt EncryptedKey, valid decryption key could not be resolved");
        throw new DecryptionException("Valid decryption key for EncryptedKey could not be resolved");
    }

    @Nonnull
    protected Key decryptKey(@Nonnull EncryptedKey encryptedKey, @Nonnull String str, @Nonnull Key key, int i) throws DecryptionException {
        if (!this.testMode && !"sun.security.pkcs11.P11Key$P11PrivateKey".equals(key.getClass().getName())) {
            return super.decryptKey(encryptedKey, str, key);
        }
        if (Strings.isNullOrEmpty(str)) {
            log.error("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
            throw new DecryptionException("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
        }
        validateAlgorithms(encryptedKey);
        try {
            checkAndMarshall(encryptedKey);
            preProcessEncryptedKey(encryptedKey, str, key);
            try {
                XMLCipher providerInstance = getJCAProviderName() != null ? XMLCipher.getProviderInstance(getJCAProviderName()) : XMLCipher.getInstance();
                providerInstance.init(4, key);
                try {
                    Element dom = encryptedKey.getDOM();
                    org.apache.xml.security.encryption.EncryptedKey loadEncryptedKey = providerInstance.loadEncryptedKey(dom.getOwnerDocument(), dom);
                    if (i == -1) {
                        log.debug("Keysize of private key is not known, will have to find corresponding certificate ...");
                    }
                    try {
                        Key customizedDecryptKey = customizedDecryptKey(loadEncryptedKey, str, key, i);
                        if (customizedDecryptKey == null) {
                            throw new DecryptionException("Key could not be decrypted");
                        }
                        return customizedDecryptKey;
                    } catch (Exception e) {
                        throw new DecryptionException("Probable runtime exception on decryption:" + e.getMessage(), e);
                    } catch (XMLEncryptionException e2) {
                        log.error("Error decrypting encrypted key", e2);
                        throw new DecryptionException("Error decrypting encrypted key", e2);
                    }
                } catch (XMLEncryptionException e3) {
                    log.error("Error when loading library native encrypted key representation", e3);
                    throw new DecryptionException("Error when loading library native encrypted key representation", e3);
                }
            } catch (XMLEncryptionException e4) {
                log.error("Error initialzing cipher instance on key decryption", e4);
                throw new DecryptionException("Error initialzing cipher instance on key decryption", e4);
            }
        } catch (DecryptionException e5) {
            log.error("Error marshalling EncryptedKey for decryption", e5);
            throw e5;
        }
    }

    private Key customizedDecryptKey(org.apache.xml.security.encryption.EncryptedKey encryptedKey, String str, Key key, int i) throws XMLEncryptionException {
        byte[] bytes = new XMLCipherInput(encryptedKey).getBytes();
        try {
            String jCAProviderName = getJCAProviderName();
            Cipher cipher = jCAProviderName != null ? Cipher.getInstance("RSA/ECB/NoPadding", jCAProviderName) : Cipher.getInstance("RSA/ECB/NoPadding");
            cipher.init(2, key);
            byte[] doFinal = cipher.doFinal(bytes);
            if (doFinal.length < i / 8) {
                byte[] bArr = new byte[i / 8];
                System.arraycopy(doFinal, 0, bArr, bArr.length - doFinal.length, doFinal.length);
                doFinal = bArr;
            }
            EncryptionMethod encryptionMethod = encryptedKey.getEncryptionMethod();
            return new SecretKeySpec(RSAPadding.getInstance(4, i / 8, new SecureRandom(), constructOAEPParameters(encryptionMethod.getAlgorithm(), encryptionMethod.getDigestAlgorithm(), encryptionMethod.getMGFAlgorithm(), encryptionMethod.getOAEPparams())).unpad(doFinal), JCEMapper.getJCEKeyAlgorithmFromURI(str));
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new XMLEncryptionException(e);
        }
    }

    private OAEPParameterSpec constructOAEPParameters(String str, String str2, String str3, byte[] bArr) {
        String translateURItoJCEID = str2 != null ? JCEMapper.translateURItoJCEID(str2) : "SHA-1";
        PSource.PSpecified pSpecified = PSource.PSpecified.DEFAULT;
        if (bArr != null) {
            pSpecified = new PSource.PSpecified(bArr);
        }
        MGF1ParameterSpec mGF1ParameterSpec = new MGF1ParameterSpec("SHA-1");
        if ("http://www.w3.org/2009/xmlenc11#rsa-oaep".equals(str)) {
            if ("http://www.w3.org/2009/xmlenc11#mgf1sha256".equals(str3)) {
                mGF1ParameterSpec = new MGF1ParameterSpec("SHA-256");
            } else if ("http://www.w3.org/2009/xmlenc11#mgf1sha384".equals(str3)) {
                mGF1ParameterSpec = new MGF1ParameterSpec("SHA-384");
            } else if ("http://www.w3.org/2009/xmlenc11#mgf1sha512".equals(str3)) {
                mGF1ParameterSpec = new MGF1ParameterSpec("SHA-512");
            }
        }
        return new OAEPParameterSpec(translateURItoJCEID, "MGF1", mGF1ParameterSpec, pSpecified);
    }

    private CriteriaSet buildCredentialCriteria(@Nonnull EncryptedType encryptedType, @Nullable CriteriaSet criteriaSet) {
        CriteriaSet criteriaSet2 = new CriteriaSet();
        criteriaSet2.add(new KeyInfoCriterion(encryptedType.getKeyInfo()));
        if (criteriaSet != null && !criteriaSet.isEmpty()) {
            criteriaSet2.addAll(criteriaSet);
        }
        if (!criteriaSet2.contains(UsageCriterion.class)) {
            criteriaSet2.add(new UsageCriterion(UsageType.ENCRYPTION));
        }
        return criteriaSet2;
    }

    public void setTestMode(boolean z) {
        this.testMode = z;
    }
}
